Ok, fangen wir an.
Ziel:
- ein Root-Server (IP: 1.2.3.4)
- 4 VMs, auf denen je ein Webdienst läuft
- 1 VM auf der ein DNS Server läuft
- Alle VMs liegen in verschiedenen Subnetzen (Bereich: 172.30.0.0/16) und können daher nur geroutet miteinander sprechen, mit Ausnahme der beiden Webserver der w3-App
Zusätzliche Netz-Config des Servers:
~ # cat /etc/network/interfaces.d/virt-bridge
# Host side of the VM networks: four bridges without a physical member
# ("bridge_ports none"), one per /24 of 172.30.0.0/16.  The host owns
# the .1 address of each segment and is the VMs' default gateway (the
# VM config further down uses "gateway 172.30.1.1").
# NOTE(review): once ip_forward=1 is set, traffic between these bridges
# is routed by the host.  No FORWARD-chain rules appear anywhere in this
# post, so whether the VM subnets are really isolated from each other
# depends on filtering that is not shown here.
iface vbr1 inet static
address 172.30.1.1
netmask 255.255.255.0
bridge_ports none
# 172.30.2.0/24 (w2)
iface vbr2 inet static
address 172.30.2.1
netmask 255.255.255.0
bridge_ports none
# 172.30.3.0/24 (w3, two web servers)
iface vbr3 inet static
address 172.30.3.1
netmask 255.255.255.0
bridge_ports none
# 172.30.4.0/24 (DNS VM, see the DNAT rules below)
iface vbr4 inet static
address 172.30.4.1
netmask 255.255.255.0
bridge_ports none
Konfiguration der Netzwerkkarte der VMs
~ # virsh dumpxml vm1
...
<!-- Guest NIC attached to host bridge vbr1, i.e. the 172.30.1.0/24
     segment; virtio model, fixed PCI slot so the device name inside the
     guest stays stable across reboots.
     NOTE(review): the MAC shown is obviously a placeholder.  A real value
     must be a unicast address (low bit of the first octet clear);
     11:22:33:44:55:66 has that bit set and will most likely be rejected
     as a multicast address. -->
<interface type='bridge'>
<mac address='11:22:33:44:55:66'/>
<source bridge='vbr1'/>
<target dev='vnet3'/>
<model type='virtio'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>
...
Netzwerk-Konfiguration der VMs
~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug ens2
# Static address inside the vbr1 segment; the default route points at the
# host's bridge address, which MASQUERADEs the traffic out of enp3s0.
iface ens2 inet static
address 172.30.1.10/24
gateway 172.30.1.1
# dns-* options are implemented by the resolvconf package, if installed
# NOTE(review): the guests resolve via Google DNS through the NAT; the
# DNS VM (172.30.4.10) is not used here.  Point this at 172.30.4.10 if
# internal names are supposed to resolve to the 172.30.x addresses.
dns-nameservers 8.8.8.8 8.8.4.4
Weitere Config auf dem Server:
# Host-side routing and NAT for the VM bridges.  Everything in this
# block is runtime-only: persist the sysctl via /etc/sysctl.d/*.conf and
# the iptables rules via iptables-persistent (or equivalent), otherwise
# they are gone after the next reboot.
~ # sysctl -w net.ipv4.ip_forward=1
# Source NAT for each VM /24 leaving through the public NIC enp3s0.
# (Could be one rule with -s 172.30.0.0/16, matching the range named at
# the top of the post.)
# NOTE(review): no FORWARD rules are listed.  Unless the FORWARD policy
# has been set to DROP somewhere else, the host forwards freely between
# all four bridges and for the DNAT'd DNS traffic; add explicit FORWARD
# rules if the subnets are meant to be isolated from each other.
~ # iptables -t nat -A POSTROUTING -o enp3s0 -s 172.30.1.0/24 -j MASQUERADE
~ # iptables -t nat -A POSTROUTING -o enp3s0 -s 172.30.2.0/24 -j MASQUERADE
~ # iptables -t nat -A POSTROUTING -o enp3s0 -s 172.30.3.0/24 -j MASQUERADE
~ # iptables -t nat -A POSTROUTING -o enp3s0 -s 172.30.4.0/24 -j MASQUERADE
# Expose the DNS VM on the public IP, UDP and TCP 53.
# NOTE(review): only sensible if 172.30.4.10 is authoritative-only, or
# recursion is restricted to the 172.30.0.0/16 nets; otherwise this
# publishes an open resolver.  The DNS VM's own config is not shown.
~ # iptables -t nat -A PREROUTING -d 1.2.3.4/32 -i enp3s0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.30.4.10:53
~ # iptables -t nat -A PREROUTING -d 1.2.3.4/32 -i enp3s0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.30.4.10:53
# One certificate with all three names as SANs, issued via HTTP-01 from
# the webroot that haproxy's "letsenc" backend hands to the local nginx
# on 127.0.0.1:8880.
~ # certbot certonly --webroot -w /srv/www/letsenc --rsa-key-size 4096 -d w1.example.net -d w2.example.net -d w3.example.net
# haproxy wants key + chain in a single PEM.  Two caveats: the shell
# redirection creates the file with the current umask although it holds
# the private key, so run this under "umask 077" (or write it with
# install -m 600); and certbot renewals do not rebuild it, so this line
# plus a haproxy reload belong in a certbot --deploy-hook or the proxy
# keeps serving the old certificate after renewal.
~ # cat /etc/letsencrypt/live/w1.example.net/privkey.pem /etc/letsencrypt/live/w1.example.net/fullchain.pem > /etc/haproxy/ssl/w1.example.net.pem
Und dann kommt der Haproxy dran:
~ # cat /etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
# Admin-level runtime socket; mode 660 limits it to the haproxy user/group.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# NOTE(review): this only disables SSLv3; TLS 1.0 and 1.1 stay
# negotiable.  "no-tlsv10 no-tlsv11" are the matching options if only
# TLS 1.2+ is wanted (check what the installed HAProxy supports).
# Because this applies to every "bind ... ssl", the per-bind no-sslv3
# on the listeners below is redundant.
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
# Adds X-Forwarded-For with the client address for the backends.
option forwardfor
option http-server-close
# Timeouts without a unit are milliseconds.
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Credentials for the stats page.  NOTE(review): "insecure-password"
# stores the password in clear text in this file; the "password" keyword
# takes a crypt(3) hash instead (e.g. from "mkpasswd -m sha-512").
# The two values here are placeholders.
userlist stats-auth
group admin users haadmin
user haadmin insecure-password admin-password
group readonly users hastats
user hastats insecure-password stats-password
# Stats page on the public IP over TLS with basic auth; "readonly" only
# views, "admin" may also act on servers.  NOTE(review): consider
# restricting the source addresses that may reach :444 (src ACL or host
# firewall) instead of relying on the password alone.
listen HAProxy-Statistics
bind 1.2.3.4:444 ssl crt /etc/haproxy/ssl no-sslv3
option httplog
option httpclose
stats enable
stats uri /haproxy?stats
stats refresh 20s
stats show-node
stats show-legends
stats show-desc Haproxy
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
# Plain HTTP: ACME challenges go to the local nginx, everything else is
# routed to the app backends, whose "redirect scheme https" bounces the
# client to 443.
frontend www-http
bind 1.2.3.4:80
# NOTE(review): reqadd/rspadd (here and in www-https) are deprecated
# since HAProxy 1.6 and gone in 2.1; the replacements are
# "http-request set-header X-Forwarded-Proto http" and
# "http-response set-header Strict-Transport-Security max-age=31536000".
reqadd X-Forwarded-Proto:\ http
# ACME rule first, so the https redirect in the backends cannot break
# renewals.
acl letsenc_app path_beg -i /.well-known/acme-challenge/
acl w1_app hdr(host) w1.example.net
acl w2_app hdr(host) w2.example.net
acl w3_app hdr(host) w3.example.net
use_backend letsenc if letsenc_app
use_backend w1-backend if w1_app
use_backend w2-backend if w2_app
use_backend w3-backend if w3_app
frontend www-https
# "crt" with a directory loads the certificates found in it, so the
# combined w1.example.net.pem (SANs for all three names) is picked up.
bind 1.2.3.4:443 ssl crt /etc/haproxy/ssl no-sslv3
reqadd X-Forwarded-Proto:\ https
acl secure dst_port eq 443
rspadd Strict-Transport-Security:\ max-age=31536000; if secure
# NOTE(review): req_ssl_hello_type inspects the raw ClientHello and is
# meant for TCP-mode SNI passthrough; TLS is terminated on this bind and
# the routing below already uses ssl_fc_sni, so these two lines look
# like a leftover - verify they are needed before keeping them.
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
# Route by the SNI name the client presented.
use_backend w1-backend if { ssl_fc_sni -i w1.example.net }
use_backend w2-backend if { ssl_fc_sni -i w2.example.net }
use_backend w3-backend if { ssl_fc_sni -i w3.example.net }
# Local nginx serving the certbot webroot (see the nginx vhost).
backend letsenc
server lets01 127.0.0.1:8880 check
# App backends: requests that arrived on :80 are redirected to https.
backend w1-backend
redirect scheme https if !{ ssl_fc }
balance roundrobin
server w1_01 172.30.1.10:80 check
backend w2-backend
redirect scheme https if !{ ssl_fc }
balance roundrobin
server w2_01 172.30.2.10:80 check
# w3 is the only service with two instances; round-robin across both.
backend w3-backend
redirect scheme https if !{ ssl_fc }
balance roundrobin
server w3_01 172.30.3.10:80 check
server w3_02 172.30.3.20:80 check
Noch ein kleiner NGINX-vHost auf dem Hauptserver:
~ # cat /etc/nginx/sites-enabled/letsencrypt
# Only reachable from the host itself (127.0.0.1:8880); haproxy's
# "letsenc" backend forwards /.well-known/acme-challenge/ requests here.
server {
listen 127.0.0.1:8880;
server_name localhost;
charset utf-8;
# Must match certbot's -w webroot.
root /srv/www/letsenc;
# NOTE(review): this serves the whole webroot; a location limited to
# /.well-known/acme-challenge/ would be tighter should anything else
# ever end up in that directory.
location / {
}
}
Ich hoffe, ich habe nichts Entscheidendes vergessen. Es ist schon spät und das entspricht auch nicht wirklich meinem Setup, sollte aber so oder so ähnlich funktionieren...